Penetration Testing - a way for improving our cyber security

The OWASP Foundation

http://www.owasp.org

OWASP EU Tour

Bucharest 2013

Penetration Testing

- a way for improving our cyber security

Adrian Furtunǎ

, PhD, OSCP, CEH

2

Agenda



Who am I



Why this topic



Case study 1



Case study 2



Lessons learned



Conclusions

Who am I



Member of the Pentest Team at KPMG Romania



Doing pentests against various applications and systems:



Internal networks, public networks



Web applications



Mobile applications



Wireless networks



Social engineering, etc



Speaker at Hacktivity, DefCamp, Hacknet and other local security

confs



Teaching assistant at Information Security Master programs (UPB,

MTA and ASE)

Why this topic?



The need for more efficient cyber

security



Penetration testing is part of the

defense-in-depth approach



Verify the effectiveness of defense mechanisms and people



Find weak spots in defense layers



Show the real risk of a vulnerability



Suggest corrective measures



Re-verify

4

Is my data safe?

To better clarify terms…



Penetration Testing a.k.a. Pentesting, Ethical Hacking, Red Teaming



Method for evaluating the security of an information system or network by simulating attacks from malicious outsiders or insiders



Exploit vulnerabilities and dig much deeper



Penetration Testing is:



Authorized



Adversary based



Ethical (for defensive purposes)



Penetration Testing

is not

Vulnerability Assessment / Scanning

Manual tests find this

Case Study 1

Pentesting the internal network (2011)



Objective:

See what an internal malicious user could do, given simple network

physical access.



Malicious user:

visitor, contractor, malicious employee



Targets:

confidential data, client information,

strategic business plans, etc

Pentesting the internal network (2011) – cont.

Pentesting the internal network (2011) – cont.

1.

Network mapping



IP ranges

Pentesting the internal network (2011) – cont.

1.

Network mapping



IP ranges



Host names

2.

Service and OS discovery



Windows 7



Windows 2008 Server R2



Common client ports open



IIS, MsSQL, Exchange, etc

Pentesting the internal network (2011) – cont.

1.

Network mapping



IP ranges



Host names

2.

Service and OS discovery



Windows 7



Windows 2008 Server R2



Common client ports open



IIS, MsSQL, Exchange, etc

3.

Vulnerability scanning



Nessus: 1 high, 30 medium, 39 low

Pentesting the internal network (2011) – cont.

4.

Exploitation

Pentesting the internal network (2011) – cont.

4.

Exploitation

Pentesting the internal network (2011) – cont.

4.

Exploitation



Add local admin

5.

Post-exploitation



Info gathering



Credentials to other systems

Pentesting the internal network (2011) – cont.

4.

Exploitation



Add local admin

5.

Post-exploitation



Info gathering



Credentials to other systems

6.

Pivoting



Connect to 2nd _{db server}

Pentesting the internal network (2011) – cont.

4.

Exploitation



Add local admin

5.

Post-exploitation



Info gathering



Credentials to other systems

6.

Pivoting



Connect to 2nd _{db server}



Upload Meterpreter

7.

Post-exploitation



List tokens



Impersonate Domain Admin token



Create Domain Admin user

16

Pentesting the internal network (2011) – cont.



Game Over

Case Study 2

Pentesting the (same) internal network (2012)



Objective:

See what an internal malicious user could do, given simple network

access.



Test the findings from previous year



Malicious user:

visitor, contractor, malicious employee



Targets:

confidential data, client information,

strategic business plans, etc



Initial access:

network port in users subnet

Pentesting the (same) internal network (2012) – cont.

1.

Network mapping



~ the same as last year

2.

Service and OS discovery



~ the same as last year

Pentesting the (same) internal network (2012) – cont.

1.

Network mapping



~ the same as last year

2.

Service and OS discovery



~ the same as last year

3.

Vulnerability scanning



Nessus: 0 high, 21 medium, 20 low

Pentesting the (same) internal network (2012) – cont.

1.

Network mapping



~ the same as last year

2.

Service and OS discovery



~ the same as last year

3.

Vulnerability scanning



Nessus: 0 high, 21 medium, 20 low Now what?



No default/weak passwords



No missing patches



No exploitable config problems



No sql injection…

Pentesting the (same) internal network (2012) – cont.

Pentesting the (same) internal network (2012) – cont.

4.

Attack the clients – method 1



Setup a fake local NetBIOS server



Respond to every request with my IP address



Setup multiple local services (HTTP, SMB)



Request Windows authentication on connection => capture password hashes

Pentesting the (same) internal network (2012) – cont.

4.

Attack the clients – method 1 – cont.



Captured around NTLM 50 hashes



Cracked about 25% using dictionary attack with mangling rules in a few hours



Gained network access as domain user (low privileges)



Could access some shared files on file server

Pentesting the (same) internal network (2012) – cont.

4.

Attack the clients – method 2



Man in the middle attack between victim and proxy server



Setup a fake local proxy server



Request Basic authentication



Receive user’s credentials in clear text (base64 encoded)

Pentesting the (same) internal network (2012) – cont.

4.

Attack the clients – method 2 – cont

The victim sees this:

Pentesting the (same) internal network (2012) – cont.

5.

Exploitation



Got local admin password (global) from a special user 



Could connect as admin on any workstation

Pentesting the (same) internal network (2012) – cont.

5.

Exploitation



Got local admin password (global) from a special user 



Could connect as admin on any workstation

6.

Pivoting



Search the machines from IT subnet for interesting credentials / tokens



Found a process running as a domain admin user

Pentesting the (same) internal network (2012) – cont.

5.

Exploitation



Got local admin password (global) from a special user 



Could connect as admin on any workstation

6.

Pivoting



Search the machines from IT subnet for interesting credentials / tokens



Found a process running as a domain admin user

7.

Exploitation



Impersonate domain admin



Add user to domain admin group

30

Pentest comparison

32

2011 2012

Low hanging fruits removed no yes IT personnel vigilance low high Network prepared for pentest no yes

Existing vulnerabilities yes yes (lower nr) Overall exploitation difficulty medium high

Consultant’s advice



Make yourself periodic vulnerability assessments (e.g. Nessus scans)



Prepare your network before a pentest (you should always be

prepared, btw)



An homogeneous network is easier to defend then an

heterogeneous one



Do not allow local admin rights for regular users



Patch, patch, patch

Conclusions



Penetration testing can be used for improving our cyber security



Do it periodically with specialized people



Mandatory for new applications / systems before putting in production



Vulnerability assessment is not penetration testing

Thank You!

Adrian Furtunǎ, PhD, OSCP, CEH

adif2k8@gmail.com